(54) Method and apparatus for personal information access control



(57) For control of access to personal information in accordance with a privacy policy defined for a service provider, a method is disclosed, wherein the method comprises the steps of providing service provider request data from a service provider to an end user device, the service provider request data being indicative of personal information of a user of the end user device to be accessed by the service provider, providing to the service provider first user data including at least one of personal information of the user as requested by the service provider or rejections of personal information requested by the service provider, creating privacy receipt data including the first user data and data being indicative of the service provider, and providing the privacy receipt data to the end user device.
[0001] The present invention is related to personal information provided and communicated in a technical system. In particular, the present invention is related to personal information of a user provided via a telecommunications network to a service provider from which the user has requested a service.

State of the Art

[0002] Many network and service providers, such as mobile communications networks and Internet providers, request personal information of a user for delivering a service requested by the user. In order to ensure that personal information is protected against misuse, e.g. by the contacted service provider, and to comply with legal regulations concerning the protection of personal information existing in many countries, the privacy and protection of personal information is an issue of increasing importance.

[0003] For the Internet, the World Wide Web Consortium has developed an Internet privacy protocol, namely P3P (Platform for Privacy Preferences). This protocol is user agent based and forces the operator service network and other service providers to implement the privacy policy in special syntax and semantics. Further, users have to configure their own privacy policy.
[0004] Privacy policies of users and service providers are cross-checked against each other. For this, the privacy policy of the service provider has to be machine readable, and the user has to read detailed questions and to confirm/answer or reject them. This approach results in a user behaviour wherein privacy policies of service providers are not entirely read and are uncritically accepted, e.g. by simply clicking the "accept" button. Further, the P3P protocol requires the communication of large data volumes and many "round trips" (i.e. data communications between a service provider and a user and vice versa).

[0005] Due to such drawbacks, the P3P protocol, originally developed for the wired environment of the Internet, is not a proper solution for systems/networks servicing mobile end user devices over wireless communication links. Examples for such a mobile environment include telecommunications systems (e.g. GSM networks, UMTS networks) comprising mobile telephones, portable computer systems, paging devices and the like.
[0006] Currently there is no functionality available for mobile environments to enable users to access information such as:

Was there personal information transferred?
What kind of personal information has been transferred?
To whom has personal information been transferred?
What is the privacy policy of the party which has obtained the personal information?

[0007] Such information will be essential for the users and services provided in a mobile environment, since there are usually two basic options:

[0008] Users can request services from the service network of the operator providing the respective mobile environment. In this context, operators include operators actually operating a mobile environment and operators just acting as providers of a mobile environment. Alternatively, users can use a service provided by another service providing party. For the latter case, the privacy issue is even more essential, since some services request personal information, such as the address, the geographic location, the bank account, the credit card number and the like of a service requesting user. Personal information should only be provided to the service providing party by the operator of the mobile environment after agreement of the user. Otherwise, users could lose their trust in their mobile environment operator, and mobile environments could lose their status as trusted systems, especially with respect to services provided by parties other than the mobile environment operators. Further, users will only cooperate with service providers if the privacy of the users is properly protected.

OBJECT OF THE INVENTION 

[0009] The object of the present invention is to provide for a solution wherein the provision of personal information to be accessed by a third party can be easily controlled and monitored. Further, the present invention should provide information on how provided personal information will be accessed and used. In particular, the present invention should provide such a solution for applications in mobile environments, such as mobile communications systems.

BRIEF DESCRIPTION OF THE INVENTION 


[0010] The basic idea underlying the present invention is to provide a so-called privacy receipt to a user who has communicated personal information to a third party, such as a service provider. The privacy receipt includes data indicating who obtained the user's personal information and when, and which kind of information has been provided by the user, or by an operator employed by the user for communications in relation with the third party and in particular the service provider.

[0011] Further, the privacy receipt may comprise information related to a privacy policy of the third party to which the user's personal information has been communicated. In this context, a privacy policy defines how a third party has bound itself to handle provided personal data, wherein the privacy policy can be defined for and/or by the third party and/or can be based on general and/or legal rules and regulations. In particular, it is contemplated that such a privacy policy is valid for the service provider. However, the proposed method is also applicable if no privacy policy of the third party exists or if it is unknown to the user.

[0012] In particular, the present invention provides for a solution suitable for systems and environments including mobile end user devices, such as mobile telephones, and wireless communication links. Moreover, the present solution ensures that manipulations of a privacy policy accepted for a provision of personal information cannot be subsequently performed, e.g. by the third party receiving the provided personal information.

[0013] In greater detail, the method according to the invention provides for personal information access control, wherein a user providing personal information receives a privacy receipt which can be used by the user to learn which party has received the personal information and which kind of personal information was provided.

[0014] To inform a user which kind of personal information should be provided, a service provider, such as an Internet service provider, communicates service provider request data to an end user device of the respective user. The service provider request data define personal information of the user which will be accessed and used by the service provider.

[0015] The service provider request data can be provided by the service provider in response to service request data communicated from the end user device to the service provider, wherein the service request data indicate a request of the user for a service to be provided or delivered by the service provider.

[0016] On the basis of the service provider request data, user data are provided to the service provider. The user data can include all personal information requested, or several of the requested personal information items and rejections of the remaining requested ones. Usually, service providers requesting personal information as a prerequisite for providing/delivering a requested service demand that a minimum of personal information is provided by a user. Nevertheless, it is contemplated that the user data can include only rejections of personal information requested by the service provider, e.g. if the user is not willing to provide any personal information.

[0017] For generating the above named privacy receipt, privacy receipt data are created which include at least one of (parts of) the user data and data characterizing the service provider.

[0018] In order, for example, to control which party has obtained which user data, the privacy receipt data are provided for access by the end user device and its user, respectively.

[0019] Some service providers do not only require the provision of personal information, but also request a confirmation indicating that the user agrees to provide personal information and to its being accessed. In this respect, the privacy receipt data can serve as such a confirmation by providing the privacy receipt data to the service provider.

[0020] As set forth above, the method can be applied for the case where a privacy policy is valid for the service provider.

[0021] For communication purposes between the end user device and the service provider, a communications server can be provided. Examples for the communications server include at least one of computer and telephone network operators, providers, systems and base stations utilizing wired and wireless communication links, computer network servers, and the like.

[0022] Independently of the existence of a communications server, the user data can be provided by the end user device to the service provider.

[0023] In case a communications server is employed, the user data can be provided by the communications server to the service provider, wherein the user data are determined in accordance with indications from the end user device. Such indications include at least one of information concerning personal data which can be provided to the service provider in response to the service provider request data and information concerning personal data which should not be communicated to the service provider.

[0024] Having received the user data, the service provider can access the personal information and, if requested, deliver a service.

[0025] Further, it is possible that the service provider provides its privacy policy, which may be included in the privacy receipt data.

[0026] In case the privacy policy or data being indicative thereof is included in the privacy receipt, the end user device is enabled to access the privacy policy without further action. In many cases, users are not interested in a privacy policy itself but only in information concerning the personal information communicated to the service provider. Here it is preferred that the privacy receipt data, optionally including the privacy policy, is provided by the service provider or by means of a third party upon request by the end user device, in order to enable users usually not interested in the privacy policy to obtain the respective privacy policy.

[0027] The privacy receipt data can also include further information related to the provision of the user's personal information, such as data being indicative of the time when the user data has been provided to the service provider, the creation time of the privacy receipt data, the identity of the user, the identity of the end user device, and the like. Moreover, the privacy receipt data can include information that the privacy policy or respective data has been provided.

[0028] For the creation of the privacy receipt data, the communications server for the end user device can be employed. Here, the provision of the privacy receipt data to the end user device is performed by communicating the privacy receipt data from the communications server to the end user device.

[0029] In a preferred embodiment of the method according to the invention, the service provider includes privacy policy data being indicative of its privacy policy in the service provider request data and communicates the same to the communications server. The communications server removes the privacy policy data from the service provider request data and creates the privacy receipt data, optionally including the privacy policy data. In order to reduce storage requirements, e.g. if a plurality of users receive data requests from the same service provider or a user often or regularly accesses a service provider, it is contemplated to store the privacy policy separately. Then, the privacy receipt data can include a pointer to the privacy policy for retrieval.

[0030] On the basis of the requested personal information defined in the service provider request data, the communications server generates communications server request data indicating which personal information is requested by the service provider and communicates the communications server request data to the end user device. In response thereto, the end user device transmits response data being indicative of at least one of the provided and the rejected requested personal information to the communications server. The communications server communicates communications server data to the service provider, wherein the communications server data comprise personal information contained in the response data or determined according to indications obtained from the end user device. In case of personal information indications, the end user device does not provide personal information as such, but information on which kind of personal information the communications server is allowed to provide to the service provider. In relation to the service provider request for personal information and in accordance with such indications, the communications server accesses or determines the respective personal information and communicates the same to the service provider. Such indications include provision of the user's name, address, bank account, credit card number, etc. and location data of the user and the end user device, respectively, which can e.g. be determined by the communications server operating as operator of a mobile communications system. Preferably, personal information provided from the communications server to the service provider is communicated as "hard" data, i.e. data actually including personal information. For security purposes, such "hard" data can be encrypted.

[0031] In order to facilitate the provision of personal information, user data can be defined which can be communicated to the service provider in response to a respective request, either automatically without further action by the end user device or its user, or according to a confirmation or selection of the user. In case the automatically communicated user data cover all requested personal information, a user action is not necessary, or the user only needs to confirm the data transmission and, preferably, selects data for transmission.

[0032] In order to ensure that personal information is provided to the service provider only in the case the user of the end user device has agreed to provide personal information, it is contemplated to communicate user data automatically to the service provider only if the response data include at least one item of personal information as requested by the service provider, i.e. the response data do not include only rejections of requested personal information.

[0033] Preferably, however, the user receives a list of request data and selects from the list the data which shall be provided. Then, corresponding indications are provided to the communications server, which can provide the service provider with the respective personal information, e.g. included in the user data.

[0034] In order to reduce the amount of data communicated from the communications server to the end user device, it is possible that the communications server request data do not include the privacy policy data. Then, it is preferred that the privacy policy data are stored by the communications server such that the end user device can, if desired, obtain the privacy policy by sending a respective request to the communications server.

[0035] In a further preferred embodiment, data communications between the service provider and the end user device and vice versa are encrypted such that the communications server cannot access and read data of the service provider and the end user device. Here, the data encryption should be performed such that the communications server can still recognize that the service provider requests personal information, in order to create the privacy receipt data. Further, it is contemplated that the data encryption allows the communications server to remove the privacy policy data.

[0036] In another preferred embodiment, the service provider request data are communicated from the service provider directly to the end user device by tunneling through a communications server for the end user device, i.e. the communications server cannot access the data communications (data traffic) exchanged between the service provider and the end user device. In a comparable manner, the user data can be communicated directly to the service provider by tunneling through the communications server.

[0037] In order to create the privacy receipt data, the end user device further communicates the user data to the communications server, which creates the privacy receipt data in response thereto.

[0038] Here, it is contemplated that the service provider request data include the privacy policy of the service provider, whereby the end user device can communicate the respective privacy policy data or the privacy policy itself to the communications server. Then, the communications server can store the privacy policy data in the privacy receipt data.

[0039] Again, data exchanges between the service provider and the end user device can be encrypted for denying access by the communications server or any other third party.

[0040] In order to verify whether the privacy policy attached to the present service provider request for personal information is the service provider's actual privacy policy, it is possible to compare the privacy policy in the service provider request data with a further privacy policy obtained from the service provider, and to inform the end user device in case the compared privacy policies are different. If the comparison shows that the privacy policies are equal, the privacy receipt data can be created. This comparison can be performed for any format of a privacy policy, e.g. a text file.

[0041] In case of a communications server, a request from the communications server can be communicated to the service provider for requesting the further privacy policy. Then, the requested further privacy policy is transmitted to the communications server, which compares the privacy policy for the current service provider request with the one obtained from the service provider upon the communications server request, in order to warn the end user device in case the comparison fails or to create the privacy receipt data.

[0042] As set forth above, the end user device can request the privacy policy by means of respective request data for accessing the privacy policy upon receipt thereof. In case of a communications server, such privacy policy request data can be communicated from the end user device to the communications server, which communicates the privacy policy data or data being indicative of the privacy policy data to the end user device.

[0043] Further, the present invention provides systems, devices, components and the like, such as a communications server, an end user device and a computer software program product, which are adapted and programmed to implement and carry out the underlying basic approach according to the invention, in particular the creation of privacy receipt data. Moreover, they should be adapted and programmed to carry out the method according to the invention as defined above.

BRIEF DESCRIPTION OF THE FIGURES 

[0044] In the following description of preferred embodiments, reference is made to the enclosed drawings, wherein:

Figure 1 illustrates a communications environment for use with the present invention,
Figure 2 illustrates a part of the communications environment of Figure 1,
Figure 3 illustrates an end user device according to the present invention,
Figure 4 illustrates a communications server according to the present invention, and
Figures 5 to 10 illustrate data structures according to the present invention.

DESCRIPTION OF PREFERRED EMBODIMENTS 

[0045] As shown in Figure 1, a communications environment being adapted and programmed to carry out the present invention comprises a communications server 2. Generally, the communications server 2 is part of a communications system of an operator, e.g. a GSM or UMTS network, not shown in the figures. The communications server 2 allows for and controls communications from and to associated end user devices, of which, by way of example, Figure 1 shows a mobile phone 4, a stationary phone 6, a portable computer 8 and a desktop computer system 10.

[0046] For communication purposes, the end user devices 4, 6, 8 and 10 can establish wireless communication links 12 and 14 and wired communication links 16 and 18.

[0047] Further, the communications server 2 is connected to systems, networks, devices and the like serving as service providers 20, 22 and 24. Communication links between the communications server 2 and the service providers 20, 22 and 24 can be wired and wireless communication links 26, 28 and 30.

[0048] In the following, reference is made to Figure 2, showing the communications server 2, the mobile phone 4, the wireless communication link 12, the service provider 20 and the wired communication link 26 of Figure 1.

[0049] As shown in Figure 3, the mobile phone 4 comprises an antenna 32 and a sender/receiver unit 34 coupled thereto. The antenna 32 and the sender/receiver unit 34 serve as communication interface for data communications with the communications server 2. For controlling the operation of the mobile phone 4, a control/processing unit 36 is employed which is operatively coupled to the antenna 32, the sender/receiver unit 34, at least one of a security identity module SIM 38 and a wireless identity module WIM 40, and a memory 42. It is to be noted that the security identity module 38 and the wireless identity module 40 can be embodied as separate units, or as a single unit or units implemented in one element, e.g. a chip, providing the functionality of SIM 38 and WIM 40.

[0050] The communications server 2 comprises, as shown in Figure 4, a communication interface unit 44 for communication links to the mobile phone 4 and the service provider 20, a processor unit 46 for controlling its operation and a memory 48 for storing data as described below.
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'^..ffi'j Scenario A 

:y-;V/:^[0051] The user (not shown) of the mobile phone 4 

■ v; v. \ wants' a service of the service provider 20 to be deliv- 
/y% ^red/provided. Here fore, the user sends, by means of 
h *\';> \i|the mobile phone4, a service request to the service pro- 
... \ 7."'ilvider 20, either via the communications server 2 or, as 

\ an alternative, directly to the service provider 20. 
^:;.vv4*^[0052] In case, the service request is communicated 
. . to the communications server 2, the communications 
•; i 1 / server 2 forwards the service request to the server pro- 
; : ' ; . vider. 20. Optionally the communications server 2 
"blinds" the service request from the mobile phone 4, i. 
V. e. the source of the request will remain unknown to the 
,j w'-iservice provider 20, and the mobile phone 4 and its user, 
7 ;: ; "'respectively, cannot be identified. 

[0053] For delivering the service requested by the user of the mobile phone 4, the service provider 20 requests personal information of the user. Examples for such personal information include the name, the address, the geographic location, the bank account, the credit card number, the age, the sex and the like of the user, the phone number of the mobile phone 4, etc. For personal information protection, a privacy policy valid for the service provider 20 is employed which includes rules and regulations of how personal information is to be accessed, processed, distributed, stored, etc. by the service provider 20.

[0054] The request for personal information and the privacy policy are transmitted to the communications server 2 as a request PIR1 illustrated in Figure 5. The request PIR1 includes a flag PI-Flag, the detailed personal information request PI-Request and the attached privacy policy PP. The flag PI-Flag informs the receiving communications server 2 that the data transmitted from the service provider includes a request for personal information.

[0055] Upon receipt of the request PIR1, the communications server 2 reads the enabled flag PI-Flag and assigns a receipt number PI-RN to this information flow. Further, the privacy policy PP is removed/cut from the data received from the service provider 20 and stored as a part of the privacy receipt data, which will be described below with reference to Figure 7.

[0056] The communications server 2 forwards the personal information request PI-Request by means of a request PIR2 as shown in Figure 6. The request PIR2 comprises the detailed personal information request PI-Request, while the privacy policy PP has been replaced by the receipt number PI-RN. The request PIR2 communicated to the mobile phone 4 can be viewed by the user, who provides (some or all) personal information in line with the personal information request PI-Request or (partially or completely) refuses to do so. This can be accomplished, for example, by filling in/answering, accepting or rejecting different fields or questions.
[0057] In case the user wants to know the privacy policy valid for the service provider 20, a respective request is communicated from the mobile phone 4 to the communications server 2. This request includes the receipt number PI-RN, on the basis of which the communications server 2 returns the privacy policy PP to the mobile phone 4. For this purpose, the receipt number PI-RN can be displayed by means of the mobile phone 4 and/or stored in the mobile phone 4, e.g. in the SIM 38, the WIM 40 or the memory 42 (see Figure 3).

[0058] Personal information provided by the user is sent to the communications server 2, which answers the personal information request from the service provider 20, for example by filling in the respective fields the user has allowed it to fill in. Further, the communications server 2 stores the user's personal information itself and/or which kind of personal information has been provided by the user in the privacy receipt data. Moreover, the communications server 2 includes the security methods used (e.g. TLS 1.0 or WTLS) in the privacy receipt data and signs the privacy receipt with a time stamp and a signature being indicative of the communications server 2, to protect the user and itself against, for example, modifications of the privacy policy by the service provider 20 after having obtained the personal information.

[0059] In Figure 7, the resulting privacy receipt data is shown, including the receipt number PI-RN, the privacy policy PP, the personal information PI-Data, data SM identifying the security methods used, the time stamp T and the signature S of the communications server 2.

[0060] Then, the communications server 2 forwards the data generated on the basis of the personal information PI-Data provided by the user to the service provider 20. Upon receipt of the requested personal information, or at least a minimum thereof, the service provider 20 delivers the requested service. In case the communications server 2 has "blinded" the mobile phone 4 with respect to the service provider 20, the communications server 2 has to map between the service provider 20 and the mobile phone 4 for delivering the requested service. Otherwise, the service can be delivered directly to the mobile phone 4.

[0061] Assuming the user of the mobile phone 4 wants to access the privacy receipt data stored by the communications server 2, e.g. in case of an alleged violation of the privacy policy the user has agreed upon, a privacy receipt request is sent from the mobile phone 4 to the communications server 2, which returns the requested privacy receipt data on the basis of the receipt number PI-RN included in the privacy receipt request.

[0062] It has to be noted that a privacy receipt request can be issued from the mobile phone 4 anytime during or after the above described procedure, independently of the data actually included in the privacy receipt data, as long as the receipt number PI-RN is available to the mobile phone 4.

[0063] Optionally, the personal information PI-Data provided by the user by means of the mobile phone 4 can be stored in the mobile phone 4 instead of inserting the personal information PI-Data in the privacy receipt data. In this case, the personal information PI-Data can be merged with a privacy receipt requested from the communications server 2 upon receipt by the mobile phone 4.
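The Scenario A exchange, together with the policy comparison of [0040] and [0041], as an added worked example in Python (not code from the patent): the communications server 2 receives PIR1, checks PI-Flag, compares the attached PP with a copy fetched separately from the provider, assigns PI-RN, cuts PP, forwards PIR2, records what the user provided and rejected as PI-Data, and signs the receipt (PI-RN, PP, PI-Data, SM, T, S) so that a PP swapped in afterwards by the provider no longer verifies. The JSON wire encoding, the field names, the sample data and the use of an HMAC under a server-held key as a stand-in for the signature S are assumptions of this example.

```python
import hashlib
import hmac
import json
import time

# Assumption: a key held only by the communications server. HMAC stands in for
# the server's signature S because the standard library has no public-key
# signature; in deployment S would be a signature the user can verify.
SERVER_KEY = b"communications-server-signing-key-example"


def canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def normalize_policy(pp: str) -> str:
    """Collapse whitespace so two copies of a text policy compare by content."""
    return " ".join(pp.split())


def policy_matches(pp_in_request: str, pp_fetched: str) -> bool:
    """[0040]/[0041]: the PP attached to PIR1 must equal the PP fetched from the
    service provider in a separate request; a mismatch warns the end user device."""
    a = hashlib.sha256(normalize_policy(pp_in_request).encode()).digest()
    b = hashlib.sha256(normalize_policy(pp_fetched).encode()).digest()
    return hmac.compare_digest(a, b)


class CommunicationsServer:
    def __init__(self):
        self.receipts = {}  # PI-RN -> privacy receipt data (Figure 7)
        self.pending = {}   # PI-RN -> (PI-Request, PP) awaiting the user's answer
        self.counter = 0

    def handle_pir1(self, pir1: dict, pp_fetched: str) -> dict:
        """Receive PIR1 (Figure 5): check PI-Flag, compare PP with the fetched
        copy, assign PI-RN, cut PP and return PIR2 (Figure 6)."""
        if not pir1.get("PI-Flag"):
            raise ValueError("PI-Flag not set: no personal information request")
        if not policy_matches(pir1["PP"], pp_fetched):
            raise ValueError("PP in PIR1 differs from the provider's current policy")
        self.counter += 1
        pi_rn = f"PI-RN-{self.counter:06d}"
        self.pending[pi_rn] = (pir1["PI-Request"], pir1["PP"])
        return {"PI-Flag": True, "PI-RN": pi_rn, "PI-Request": pir1["PI-Request"]}

    def handle_user_response(self, pi_rn: str, answers: dict, security_methods: list) -> dict:
        """Record provided/rejected items as PI-Data, sign the receipt, and return
        only the provided ("hard") data that is forwarded to the provider."""
        pi_request, pp = self.pending.pop(pi_rn)
        provided = {k: v for k, v in answers.items() if k in pi_request and v is not None}
        rejected = [k for k in pi_request if k not in provided]
        receipt = {
            "PI-RN": pi_rn,
            "PP": pp,
            "PI-Data": {"provided": provided, "rejected": rejected},
            "SM": security_methods,  # e.g. ["TLS 1.0"] or ["WTLS"]
            "T": int(time.time()),
        }
        receipt["S"] = hmac.new(SERVER_KEY, canonical(receipt), hashlib.sha256).hexdigest()
        self.receipts[pi_rn] = receipt
        return provided

    def get_receipt(self, pi_rn: str) -> dict:
        """[0061]: privacy receipt request answered on the basis of PI-RN."""
        return self.receipts[pi_rn]


def verify_receipt(receipt: dict) -> bool:
    """Recompute S over every other field; a PP swapped in afterwards fails."""
    body = {k: v for k, v in receipt.items() if k != "S"}
    expected = hmac.new(SERVER_KEY, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["S"])


def run_scenario_a():
    """Constructed sample exchange. Returns PIR2, the data the provider got, the
    receipt, whether a mismatching PP was rejected, and two verification results."""
    pp = "Location data is used only for delivery and deleted after 24 hours."
    pir1 = {"PI-Flag": True, "PI-Request": ["name", "location", "credit_card"], "PP": pp}
    server = CommunicationsServer()
    try:  # [0041]: the policy fetched from the provider does not match the attached one
        server.handle_pir1(pir1, pp_fetched="Location data may be sold.")
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    pir2 = server.handle_pir1(pir1, pp_fetched=pp + "\n")  # same policy, extra newline
    answers = {"name": "A. User", "location": "52.52N 13.40E", "credit_card": None}
    to_provider = server.handle_user_response(pir2["PI-RN"], answers, ["TLS 1.0"])
    receipt = server.get_receipt(pir2["PI-RN"])
    tampered = dict(receipt, PP="Location data may be passed on to third parties.")
    return (pir2, to_provider, receipt, mismatch_rejected,
            verify_receipt(receipt), verify_receipt(tampered))
```

Because S here is a MAC, only a holder of SERVER_KEY can verify a receipt. The signature "indicative of the communications server 2" of [0058] would in practice be a public-key signature, so that the user, and a party arbitrating an alleged policy violation under [0061], can check the receipt without the server's cooperation; the structure of what is signed (everything except S, in a canonical encoding) stays the same.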

Scenario B 

[0064] Assuming, the user of the mobile phone 4 
wants to contact the service provider 20 for data com- 
munication purposes in a way that the communications 
server 2 is not allowed to access and read data ex- 
changes between the mobile phone 4 and the service 
provider 20 and in particular personal information pro- 
vided by the user, the following procedure can be em- 
ployed. 

[0065] Comparable to scenario A, a service request is transmitted from the mobile phone 4 to the service provider 20. Then, security methods to be employed for data communications between the mobile phone 4 and the service provider 20 are negotiated and agreed upon, for example encryption, authentication, certification methods and the like.

[0066] Then, the service provider 20 sends a request PIR3, illustrated in Figure 8, to the communications server 2. The request PIR3 is protected by the security methods agreed upon, for example the request PIR3 is at least partially encrypted. The employed security methods must ensure that the communications server 2 can recognize/read the flag PI-Flag in order to be informed that personal information is requested by the service provider and that a privacy receipt has to be created.
[0067] Further, the security methods should allow the communications server 2 to remove the privacy policy PP as described above. For example, the request PIR3 can be encrypted such that only the detailed personal information request PI-Request is encrypted while the flag PI-Flag and the privacy policy PP are not encrypted. As an alternative, the privacy policy PP can be encrypted and marked by a further flag such that the communications server 2 can remove the privacy policy PP by means of this flag. Since in this scenario the security method employed by the mobile phone 4 and the service provider 20 can be considered as an individual privacy policy for the mobile phone 4 and the service provider 20, the security methods can be included in the privacy policy PP.

[0068] Upon receipt of the request PIR3, the communications server 2 "notices" the flag PI-Flag and assigns a receipt number PI-RN to this request. Further, the communications server 2 detaches the privacy policy PP and stores the same together with the receipt number PI-RN in the privacy receipt data, which will be discussed below with reference to Figure 10.
[0069] Such an encryption of the request PIR3 is illustrated in Figure 8, wherein the parts in italics indicate encrypted data.

[0070] Following this, the communications server 2 transmits a request PIR4 to the mobile phone 4 including the receipt number PI-RN and the encrypted personal information request PI-Request, as shown in Figure 9. Comparable to the request PIR2 (see Figure 6), the request PIR4 does not include the privacy policy PP. The portions in italics of Figure 9 illustrate data being encrypted.
[0071] The mobile phone 4 decrypts the request PIR4 and (partially or completely) answers or rejects the personal information request, encrypts the provided personal information PI-Data and returns the same to the communications server 2.

[0072] The communications server 2 stores the encrypted personal information PI-Data from the mobile phone 4 in the privacy receipt data and includes, as described above, further data, which results in the privacy receipt data illustrated in Figure 10. Again, the portions in italics of Figure 10 indicate encrypted data.
[0073] The encrypted personal information PI-Data is forwarded to the service provider 20, which in response thereto delivers the requested service to the mobile phone 4.

[0074] Optionally, the personal information PI-Data is sent in two copies encrypted with different keys to the communications server 2. The first copy is encrypted with the key of the user for storing in the privacy receipt data and decryption by the user. The second copy is encrypted with the public key of the service provider and forwarded to the service provider for decryption. Alternatively, a single encrypted copy of the personal information PI-Data is sent.

[0075] The latter option requires, however, that both the user and the service provider can decrypt the information. This may lead to problems, since it is difficult to administer such a decryption by the user and the service provider if a key pair is attributed to each combination of a user with a service provider.

[0076] As described with respect to scenario A, the mobile phone 4 can access the privacy receipt data by means of a respective privacy receipt request. Here, it has to be noted that the security methods agreed upon should be available to the mobile phone 4 for decrypting encrypted data portions.
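The scenario B exchange above, as an added example that is not part of the patent: a constructed Python simulation in which the communications server reads PI-Flag and PP in clear, assigns PI-RN, files PP under it in the receipt, and stores the user-keyed copy of PI-Data without ever being able to read PI-Request or the answers. The toy keystream cipher, key names, service provider id and profile values are all assumptions standing in for the negotiated security methods.

```python
import hashlib, hmac, json, secrets, time

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy XOR-keystream cipher standing in for the negotiated method (demo only)."""
    nonce = secrets.token_bytes(12)
    stream = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class CommunicationsServer:
    """Reads PI-Flag and PP in clear; PI-Request and PI-Data stay opaque to it."""
    def __init__(self):
        self.receipts = {}  # PI-RN -> privacy receipt data (Figure 10)
        self._next = 1000

    def handle_pir3(self, pir3: dict) -> dict:
        if not pir3.get("PI-Flag"):
            raise ValueError("PI-Flag not set: no privacy receipt required")
        rn, self._next = f"PI-RN-{self._next}", self._next + 1
        # Detach the plaintext privacy policy PP and file it under the receipt number
        self.receipts[rn] = {"PI-RN": rn, "service_provider": pir3["sp_id"],
                             "PP": pir3["PP"], "PI-Data": None}
        # PIR4 (Figure 9): receipt number plus the still-encrypted request, no PP
        return {"PI-RN": rn, "PI-Request": pir3["PI-Request"]}

    def store_and_forward(self, rn: str, user_copy: bytes, sp_copy: bytes) -> bytes:
        # [0074]: user-key copy kept in the receipt, provider-key copy passed on
        self.receipts[rn].update({"PI-Data": user_copy, "timestamp": int(time.time())})
        return sp_copy

class MobilePhone:
    def __init__(self, profile: dict, consent: set, user_key: bytes, session_key: bytes):
        self.profile, self.consent = profile, consent
        self.user_key, self.session_key = user_key, session_key

    def answer_pir4(self, pir4: dict) -> tuple:
        """Decrypt PI-Request, answer consented fields, reject the rest, encrypt twice."""
        request = json.loads(toy_decrypt(self.session_key, pir4["PI-Request"]))
        answers = {f: self.profile[f] for f in request["fields"]
                   if f in self.consent and f in self.profile}
        rejections = [f for f in request["fields"] if f not in answers]
        pi_data = json.dumps({"answers": answers, "rejections": rejections}).encode()
        return toy_encrypt(self.user_key, pi_data), toy_encrypt(self.session_key, pi_data)

def run_scenario_b() -> dict:
    """Constructed end-to-end run; keys, ids and profile values are all made up."""
    session_key = secrets.token_bytes(32)  # negotiated by phone and service provider
    user_key = secrets.token_bytes(32)     # held by the user only
    phone = MobilePhone({"name": "A. User", "address": "1 Example Street",
                         "credit_card": "0000-0000-0000-0000"},
                        consent={"name", "address"},
                        user_key=user_key, session_key=session_key)
    server = CommunicationsServer()
    request = json.dumps({"fields": ["name", "address", "credit_card"]}).encode()
    pir3 = {"sp_id": "sp-example", "PI-Flag": True,      # PI-Flag and PP in clear
            "PP": {"purpose": "delivery", "retention_days": 30},
            "PI-Request": toy_encrypt(session_key, request)}  # opaque to the server
    pir4 = server.handle_pir3(pir3)
    user_copy, sp_copy = phone.answer_pir4(pir4)
    forwarded = server.store_and_forward(pir4["PI-RN"], user_copy, sp_copy)
    receipt = server.receipts[pir4["PI-RN"]]  # what a privacy receipt request returns
    return {"receipt": receipt,
            "sp_view": json.loads(toy_decrypt(session_key, forwarded)),
            "user_view": json.loads(toy_decrypt(user_key, receipt["PI-Data"]))}
```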

Scenario A + B 

[0077] A combination or mixture of the scenarios A and B is also possible, e.g. for personal information requests for filling functions, for any information like the geographic location of the mobile phone 4 or personal preferences of the user, and for performing data communications between the mobile phone 4 and the service provider 20 including encrypted and non-encrypted data.

Scenario C 

[0078] In the following, a procedure is described wherein at least a part of the data communications between the mobile phone 4 and the service provider 20 are performed directly between the same by "tunneling" the communications server 2, i.e. the communications server 2 cannot access data traffic between the mobile phone 4 and the service provider 20.

[0079] Up to the point where security methods are agreed upon for data communications between the mobile phone 4 and the service provider 20, the procedure of scenario C corresponds with the respective steps described with respect to scenario B. Here, the security method to be employed includes an agreement that the communications server 2 is to be tunneled.

[0080] Then, the service provider 20 transmits a personal information request to the mobile phone 4, wherein the above described flag PI-Flag is not required. Optionally, the service provider 20 includes its privacy policy in this request.
[0081] In response to the request, the mobile phone 4 returns personal information to the service provider 20 and further sends the personal information as, optionally encrypted, data to the communications server 2 for storage.

[0082] For the generation of a privacy receipt, the communications server 2 assigns a receipt number to the encrypted personal information obtained from the mobile phone 4 and returns the receipt number to the mobile phone 4. As described above, the privacy receipt can include a time stamp, a signature associated to the communications server 2 and the like.

[0083] For obtaining the privacy receipt from the communications server 2 by the mobile phone 4, reference is made to the description given above.

[0084] For including the privacy policy in the privacy receipt, the privacy policy received from the service provider in the personal information request is forwarded by the mobile phone 4 to the communications server 2. For an enhanced level of security, it is possible that the communications server 2 further requests the privacy policy from the service provider 20 and compares the privacy policies received from the mobile phone 4 and from the service provider 20. In case the comparison shows that the received privacy policies are equal, the privacy policy is stored in the privacy receipt. Otherwise, the communications server 2 warns the user of the mobile phone 4 by communicating a respective warning message.

Scenario D 

[0085] As an alternative to or as an additional option for the above described embodiments, the providing of personal information to the service provider 20 can be performed by the communications server 2 in accordance with indications obtained from the mobile phone 4 and defined by its user, respectively. Such indications or indicator data comprise information for the communications server 2 as to which kind of personal data the user allows to be transmitted to the service provider 20 in response to a request for personal information. For example, the indications inform the communications server 2 that, upon a request from the service provider 20, the name, the address, the bank account, the credit card number and the like of the user may be provided to the service provider 20. This manner of providing personal information to the service provider 20 has the advantage that the user and the mobile phone 4, respectively, are not involved in the actual providing of personal information, resulting in enhanced comfort for the user and a reduced amount of data to be communicated between the mobile phone 4 and the communications server 2. In case the service provider request for personal information is in the form of a list or a questionnaire, the communications server 2 fills in the respective fields or answers the respective questions in accordance with the indications from the mobile phone 4.

[0086] Moreover, this manner of providing personal information to a service provider allows the communication of personal information which actually cannot be provided by an end user device or its user, or can only be provided with additional effort. Examples of such personal information include the geographic location of an end user device and its user, respectively, actually available data transmission rates or bandwidth, reliability of communications links and the like. Further, such personal information can often be provided by the communications server, e.g. the end user device's location in case of a communications server acting as mobile environment operator. Then, upon a respective indication, the communications server will provide such personal information in accordance with the indication.

[0087] For example, a user regularly ordering from a food delivery service which requests for each order the name, the address and the credit card number of the user is relieved from providing this information each time. Thus, employing the previously described providing of personal information by the communications server 2 simplifies such service requests for the user. On the other hand, this procedure does not impair the security of personal information, since the user knows what kind of personal information has to be provided to the food delivery service, has agreed to provide the necessary information in view of a respective privacy policy and has allowed the communications server to provide this information; otherwise no food order would be accomplished.
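Scenario D as an added example that is not part of the patent, using the pizza application described later in the description: the communications server fills a questionnaire from data it holds, limited by the user's indicator data, contributes the device location itself, and records in the receipt only which kinds of data were released. The service provider id, field names, profile values and the session consent flag are assumptions.

```python
from datetime import datetime, timezone

# Constructed data held by the communications server; nothing here is from a real user
USER_PROFILE = {"name": "A. User", "address": "1 Example Street",
                "credit_card": "0000-0000-0000-0000",
                "pizza_profile": {"size": "large", "temperature": "hot"}}

# Indicator data ([0085]): per service provider, the kinds of data the user allows
# the server to release on its behalf; providers not listed get nothing.
INDICATOR_DATA = {"pizza-sp": {"location", "pizza_profile"}}

def operator_data(device_id: str) -> dict:
    """Data the server can supply itself ([0086]), e.g. as mobile network operator."""
    return {"location": f"cell-4711 (device {device_id})"}  # constructed value

def fill_request(sp_id: str, questionnaire: list, device_id: str,
                 session_consent: bool) -> dict:
    """Answer a provider's questionnaire from server-held data, limited by the
    user's indicator data. Returns what was sent, what was refused, and the
    receipt entry, which records only the kinds of data released, not the values."""
    if not session_consent:  # [0091]: only for a service the user is requesting now
        return {"sent": {}, "rejected": list(questionnaire), "receipt": None}
    allowed = INDICATOR_DATA.get(sp_id, set())
    source = {**USER_PROFILE, **operator_data(device_id)}
    sent = {q: source[q] for q in questionnaire if q in allowed and q in source}
    rejected = [q for q in questionnaire if q not in sent]
    receipt = {"service_provider": sp_id, "kinds_sent": sorted(sent),
               "rejected": rejected,
               "timestamp": datetime.now(timezone.utc).isoformat()}
    return {"sent": sent, "rejected": rejected, "receipt": receipt}

def pizza_order() -> dict:
    """The pizza application: location and pizza profile released, card refused."""
    return fill_request("pizza-sp", ["location", "credit_card", "pizza_profile"],
                        device_id="phone-4", session_consent=True)
```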

Further options 

[0088] It is possible that the user of the mobile phone 4 can agree to forward a special set of personal information to the service provider 20 or further user related information, such as technical data of the mobile phone 4. Such data can be handled in a manner comparable to the above personal information with respect to the transmission to the service provider 20, the privacy receipt data, storage by the communications server 2 and the mobile phone 4, encrypting, etc.
[0089] This can be accomplished by providing the communications server 2 with respective data and allowing it to transmit the data, advantageously stored by the communications server 2, automatically to the service provider 20 in response to a service provider request for personal information and/or the provision of personal information.

[0090] Further, data to be automatically forwarded can be provided by the mobile phone 4, e.g. stored in the SIM 38, the WIM 40 or the memory 42, and communicated to the communications server 2 and the service provider 20 in dependence of the actual scenario.
[0091] This makes it easier for the user to obtain a 
requested service by the service provider 20, in partic- 
ular when (personal) information is often or regularly re- 
quested. Additionally, this procedure minimizes data 
communications between the mobile phone 4 and the 
communications server 2. For personal information pro- 
tection purposes, such an automatic forwarding of (per- 
sonal) information to the service provider 20 should be 
allowed only when the user of the mobile phone 4 actu- 
ally agrees to provide personal information with respect 
to a currently requested service. 
[0092] In order to minimize data stored by the communications server 2 and/or the mobile phone 4, it is possible to check whether the actually received privacy policy relating to a currently requested service is already stored. In that case, no further storing of the privacy policy is necessary.
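The privacy policy comparison of scenario C ([0084]) and the storage check of [0092], as an added example that is not part of the patent: the two copies of a policy are compared through a canonical hash so that copies differing only in formatting count as equal, each distinct policy is stored once with the receipt holding a pointer to it, and a mismatch produces the warning message naming the differing fields. The policy fields, the hash-as-pointer scheme and the sample values are assumptions.

```python
import hashlib, json

def policy_hash(policy: dict) -> str:
    """SHA-256 over canonical JSON, so key order and whitespace do not matter."""
    canon = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def policy_diff(a: dict, b: dict) -> list:
    """Names of top-level fields whose values differ (used in the warning)."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))

class PolicyStore:
    """Each distinct policy is stored once; receipts carry a pointer to it."""
    def __init__(self):
        self.policies = {}  # hash -> policy

    def store(self, policy: dict) -> str:
        h = policy_hash(policy)
        if h not in self.policies:  # [0092]: already stored, nothing more to do
            self.policies[h] = policy
        return h

def record_policy(store: PolicyStore, receipt: dict,
                  pp_from_phone: dict, pp_from_provider: dict) -> bool:
    """Scenario C [0084]: compare the copy forwarded by the phone with the one
    fetched from the provider. Equal: pointer goes into the receipt. Different:
    warning for the user, and no policy is filed in the receipt."""
    if policy_hash(pp_from_phone) != policy_hash(pp_from_provider):
        receipt["warning"] = ("privacy policy from the end user device differs from "
                              "the one obtained from the service provider in: "
                              + ", ".join(policy_diff(pp_from_phone, pp_from_provider)))
        return False
    receipt["PP_pointer"] = store.store(pp_from_phone)
    return True

def demo() -> dict:
    """Constructed policies: an honest pair (keys reordered) and a tampered copy."""
    store = PolicyStore()
    honest = {"purpose": "delivery", "retention_days": 30, "share": False}
    same_reordered = {"share": False, "retention_days": 30, "purpose": "delivery"}
    tampered = {"purpose": "delivery", "retention_days": 365, "share": True}
    r1, r2, r3 = {"PI-RN": "PI-RN-1"}, {"PI-RN": "PI-RN-2"}, {"PI-RN": "PI-RN-3"}
    ok1 = record_policy(store, r1, same_reordered, honest)
    ok2 = record_policy(store, r2, honest, honest)  # second receipt, same policy
    ok3 = record_policy(store, r3, tampered, honest)
    return {"ok": (ok1, ok2, ok3), "receipts": (r1, r2, r3),
            "stored": len(store.policies)}
```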

[0093] In order to access the privacy receipt, an icon can be provided on a display of the end user device. Such an icon can have different appearances depending on whether personal data was transmitted to a service provider or not. Preferably, a list of service providers to which personal data was transmitted is displayed when the icon is accessed, and, in response to a selection of a desired personal information transmission from the list, a respective privacy receipt for the selected service provider is provided, e.g. downloaded to the end user device.

[0094] For example, the icon can have the form of an eye comprising the following appearances and functionalities:

Closed eye: no personal information is provided.

Open eye: personal information has been provided during the actual session. In this context a session can be a "switched on" period for communications to and from the end user device or a pre-defined lifetime.

As explained above, the eye can be used for accessing the history of personal information transmission to third parties, i.e. accessing privacy receipts.

Applications example

[0095] Just by way of example for carrying out the present invention, the following application is described. A user wants a pizza to be delivered, wherein the pizza should be hot and paid in cash. The operator (i.e. the communications server in terms of the previous description) has stored a "pizza profile" of the user which includes personal information of the user to be provided in relation to pizza orders. The user chooses a pizza delivery service from the operator, which in response thereto forwards the request to a pizza company for delivery. The pizza company requests for example the location, the credit card number and the pizza profile of the user and also communicates its privacy policy to the operator. The operator creates a privacy receipt and forwards the request to the user. Then, the user agrees to provide information related to the location and the pizza profile but declines to provide the credit card number. This response of the user is sent to the operator, which fills in the location and the user's pizza profile, but not the credit card number, and forwards it to the pizza company. The operator stores which kind of personal information has been sent to the pizza company.
[0096] Referring to the above described icon, the eye has been switched on, i.e. the eye is open, when the agreement of the user for providing personal information has been sent to the operator. The user can click the eye to have a list of services to which personal information has been sent displayed. For example, the user chooses the pizza delivery service and thereby requests the respective privacy receipt from the operator, which returns the same to the user.

Claims

1. A method for personal information access control for user data requested by a service provider (20), comprising the steps of:

providing service provider request data (PIR1, PIR3) from a service provider (20) to an end user device (4), the service provider request data (PIR1, PIR3) being indicative of personal information of a user of the end user device (4) to be accessed by the service provider (20),

providing to the service provider (20) first user data (PI-Data) including at least one of personal information of the user as requested by the service provider (20) and rejections of personal information requested by the service provider (20),

creating privacy receipt data including at least one of the first user data (PI-Data) or parts thereof and data being indicative of the service provider (20), and

providing the privacy receipt data for access by the end user device (4).

2. The method of claim 1, wherein a privacy policy is valid for the service provider (20).

3. The method according to claim 1 or 2, wherein communications between the end user device (4) and the service provider (20) are performed via a communications server (2).

4. The method according to one of claims 1 to 3, wherein the first user data (PI-Data) is provided by the end user device (4) to the service provider (20).

5. The method according to claim 3 or 4, wherein the first user data (PI-Data) is provided by the communications server (2) to the service provider (20) in accordance with indications of the end user device (4) of personal information to be provided to the service provider (20).

6. The method according to one of claims 1 to 5, 
wherein the privacy receipt data is provided in re- 
sponse to privacy receipt request data from the end 
user device (4). 

7. The method according to one of claims 1 to 6, comprising at least one of the steps of:

communicating an end user device service request to the service provider (20), the end user device service request being indicative of a request from the end user device (4) for a service to be delivered by the service provider (20), and

delivering a service by the service provider (20) upon receipt of the personal information (PI-Data).

8. The method according to one of claims 3 to 7, comprising the steps of:

communicating the service provider request data (PIR1, PIR3) from the service provider (20) to the communications server (2),

creating the privacy receipt data by the communications server (2),

generating, by the communications server (2), communications server request data (PIR2, PIR4) being indicative of the requested personal information, and

communicating the communications server re- 
quest data (PIR2, PIR4) from the communica- 
tions server (2) to the end user device (4). 

9. The method according to claim 8, comprising the 
steps of: 

communicating the first user data (PI-Data) from the end user device (4) to the communications server (2), and

communicating, from the communications server (2) to the service provider (20), communications server data including at least portions of personal information in accordance with the first user data (PI-Data).

10. The method according to one of claims 3 to 9, comprising the steps of:

communicating indicator data from the end user device (4) to the communications server (2), the indicator data being indicative of personal information to be provided to the service provider (20), and

communicating, from the communications server (2) to the service provider (20), communications server data including personal information according to the indicator data.

11. The method according to one of claims 3 to 10, comprising at least one of the steps of:

- communicating the service provider request data (PIR1, PIR3) from the service provider (20) directly to the end user device (4) by tunneling the communications server (2), and

- communicating the first user data (PI-Data) from the end user device (4) directly to the service provider (20) by tunneling the communications server (2).

12. The method according to claim 11, comprising the steps of:

- further communicating the first user data (PI-Data) from the end user device (4) to the communications server (2), and

- creating the privacy receipt data by the communications server (2) upon receipt of the first user data (PI-Data).

13. The method according to one of claims 2 to 12, comprising the step of:

including privacy policy data (PP) being indicative of the privacy policy in the service provider request data (PIR1, PIR3).

14. The method according to claim 13, comprising the steps of:

removing the privacy policy data (PP) from the service provider request data (PIR1, PIR3), and

including the privacy policy data (PP) or pointer data being indicative of the privacy policy data (PP) in the privacy receipt data.
15. The method according to one of claims 1 to 14, wherein the service provider request data (PIR1, PIR3) provided to the end user device (4) comprises receipt number data (PI-RN) being assigned to the providing of the service provider request data (PIR1, PIR3).

16. The method according to claim 15, wherein the receipt number data (PI-RN) is stored in the privacy receipt data.

17. The method according to one of claims 13 to 16, comprising the steps of:

communicating the privacy policy data (PP) 
from the end user device (4) to the communi- 
cations server (2), and 

including the privacy policy data (PP) in the pri- 
vacy receipt data by the communications serv- 
er (2). 

18. The method according to one of claims 1 to 17, comprising the steps of:

Comparing privacy policy data (PP) for the 
service provider request data (PIR1 , PIR3) and 
further privacy policy data obtained from the 
service provider (20). 

19. The method according to claim 18, comprising at 
least one of the steps of: 

providing warning data to the end user device (4) if the comparing fails, the warning data indicating that the privacy policy data for the service provider request data (PIR1, PIR3) and the further privacy policy data are not equal, and

creating the privacy receipt data if the comparing indicates that the privacy policy data (PP) for the service provider request data (PIR1, PIR3) and the further privacy policy data are equal.

20. The method according to claim 18 or 19, comprising 
the steps of: 

Communicating communications server priva- 
cy policy request data from the communica- 
tions server (2) to the service provider (20), the 
communications server privacy policy request 
data being indicative of the further privacy pol- 
icy data, 

communicating the further privacy policy data 
from the service provider (20) to the communi- 
cations server (2), and 

performing the comparing of the privacy policy 
data by the communications server (2). 
21. The method according to one of claims 1 to 20, comprising the steps of:

- Communicating privacy policy request data 
from the end user device (4), the privacy policy 
request data being indicative of a request of the 
end user device (4) to access the privacy policy 
data(PP), and 

- communicating the privacy policy data (PP) to 
the end user device (4) for access by the end 
user device (4). 

22. A communications server, comprising 

- communication means (44) for data communications with at least one of an end user device (4) and a service provider (20), and

- means (46, 48) for creating privacy receipt data 
being indicative of personal information provid- 
ed by the end user device (4) upon request by 
a service provider (20). 

23. The communications server according to claim 22, 
wherein at least one of the communication means 
(44) and the means (46, 48) for creating privacy re- 
ceipt data are adapted and programmed to carry out the steps according to one of the claims 1 to 21.

24. An end user device (4), comprising: 

- communication means (32, 34) for data communications with at least one of a communications provider (2) and a service provider (20), and

- means (36, 38, 40, 42) being adapted and programmed to carry out the steps according to one of the claims 1 to 21.

25. A computer program product, comprising: 

program code portions for carrying out the steps according to one of the claims 1 to 21.

26. The computer program product according to claim 
25, stored on a computer readable recording medi- 
um. 